OpenClaw Release CI Use this with and when a release candidate needs full validation, install/update proof, live provider checks, or CI recovery. Guardrails - No version bump, tag, npm publish, GitHub release, or release promotion without explicit operator approval. - Validate provider secrets before dispatching expensive full release matrices. - Do not set GitHub secrets from unvalidated 1Password candidates. If a candidate returns 401/403, leave the existing secret alone and report the exact missing provider. - Use for secret reads/writes: one persistent tmux session, targeted items only, n…